FTP PASV mode usage on the net

I just connected to Microsoft's FTP server to get stats on the percentage of individuals using the FTP passive mode. A copy of the session follows:

-------------------------------------------------------------
telnet FTP.MICROSOFT.COM 21
Trying 198.105.232.1...
Connected to ftp.microsoft.com.
Escape character is '^]'.
220 ftp Microsoft FTP Service (Version 3.0).
USER FTP
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS FTP
230-This is FTP.MICROSOFT.COM
230-Please see the dirmap.txt file for
230-more information.
230 Anonymous user logged in.
SITE STATS
200-ABOR : 302878
ACCT : 6
ALLO : 1
APPE : 12
CDUP : 180296
CWD : 2643776
DELE : 969
HELP : 2825
LIST : 1960318
MKD : 763
MODE : 315
NLST : 58931
NOOP : 539571
PASS : 1593667
PASV : 1428243
PORT : 2120405
PWD : 1080190
QUIT : 349168
REIN : 13
REST : 293760
RETR : 1495575
RMD : 240
RNFR : 158
RNTO : 16
SITE : 3933
STAT : 6098
STOR : 6566
STRU : 550
SYST : 381727
TYPE : 3183166
USER : 1610611
XCWD : 21
XMKD : 39
XPWD : 1866
XRMD : 23
200 End of stats.
QUIT
221 Thank you for using FTP.MICROSOFT.COM!
-------------------------------------------------------------

Here are the highlights:

PASV : 1428243
PORT : 2120405

PASV mode usage accounts for 40.25% of the users on Microsoft's site, while PORT mode usage accounts for 59.75%. That means that if an FTP pizza thief program is successful in beating out connections to the data port 50% of the time, you'd be able to DoS 20% of the users and obtain 20% of the information flowing through the site.

If you'd like to try getting the Microsoft site stats yourself, it's quite simple. In Windows, click on the START button, click on RUN, type in (without the quotes) "telnet ftp.microsoft.com 21" and click on OK. You will see "220 ftp Microsoft FTP Service (Version 3.0)" and at that point you can type (but you won't see your typing) "USER FTP" followed by the enter key, then type "PASS FTP" followed by the enter key.

You will now see "230 Anonymous user logged in" if you logged in OK. If not, you may want to see what you're typing: click on Terminal, Preferences, check the box that says "local echo" and click on OK. Now dump the site statistics by typing "SITE STATS" and then hit enter. That's all there is to it.

After doing "SITE STATS", if you feel like it, type "PASV" and hit enter. It will respond like this:

227 Entering Passive Mode (198,105,232,1,13,131).

The 198,105,232,1 is the internet address of the Microsoft server. The 13,131 is the magic port number that has been opened for you. Now do another PASV command; you'll see the port number (last two numbers) change. Watch this:

227 Entering Passive Mode (198,105,232,1,14,242).
pasv
227 Entering Passive Mode (198,105,232,1,14,252).

That was two PASV commands almost right after each other. The data port incremented by 10 (242 to 252). That means that ports 243,244,245,246,247,248,249,250,251 were allocated for other people within that split second. If I have a program to try connecting to those ports and I actually connect before the other people get to them, I get the data they should have gotten, all this because I can guess at what ports they're using by what ports I'm being given. I can also guess that the next ports 253,254,255... will be allocated, and because I'm trying to connect at the same time as someone else is being told "here's a port for you to use", I get an even faster jump on them.

Have fun and play around with it, and let me know what questions you have. Also let me know what questions people have about the exploit; after I have those, I'll write a more directed and detailed synopsis.

-Jeff Gerber
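As an added example (not part of the original post), the following Python decodes the 227 replies quoted above into real port numbers (the two numbers after the address are the high and low byte of the port, so 13,131 is port 3459), computes the PASV share from SITE STATS output, and implements the audit check a server operator would want: whether consecutive PASV ports advance in small monotonic steps, which is what makes another client's data port guessable. The sample replies and stats line are constructed from the session in the post; the "random" reply set is invented for contrast.

```python
import re
from typing import List, Optional, Tuple

# Shape of the reply quoted in the post: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply; the data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):  # each field is one byte
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def port_deltas(replies: List[str]) -> List[int]:
    """Differences between consecutive PASV data ports handed out by a server."""
    ports = [p[1] for p in (parse_pasv(r) for r in replies) if p is not None]
    return [b - a for a, b in zip(ports, ports[1:])]


def allocation_is_predictable(replies: List[str], window: int = 64) -> bool:
    """Audit check: flag a server whose PASV ports only ever move forward by a
    small step, so ports handed to other clients in between are guessable.
    A server that picks ephemeral ports at random yields large, mixed deltas."""
    deltas = port_deltas(replies)
    return bool(deltas) and all(0 < d <= window for d in deltas)


def pasv_share(stats: str) -> float:
    """PASV as a percentage of PASV+PORT, from SITE STATS output."""
    counts = {k: int(v) for k, v in re.findall(r"\b(PASV|PORT)\s*:\s*(\d+)", stats)}
    total = counts.get("PASV", 0) + counts.get("PORT", 0)
    return 100.0 * counts.get("PASV", 0) / total if total else 0.0


# Constructed sample input: the two replies from the post (sequential allocation)
SEQUENTIAL = ["227 Entering Passive Mode (198,105,232,1,14,242).",
              "227 Entering Passive Mode (198,105,232,1,14,252)."]
# Invented replies showing what non-sequential allocation looks like
RANDOM = ["227 Entering Passive Mode (198,105,232,1,200,17).",
          "227 Entering Passive Mode (198,105,232,1,150,3).",
          "227 Entering Passive Mode (198,105,232,1,233,100)."]
STATS = "PASV : 1428243 PORT : 2120405"

if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (198,105,232,1,13,131)."))
    print(port_deltas(SEQUENTIAL), allocation_is_predictable(SEQUENTIAL))
    print(port_deltas(RANDOM), allocation_is_predictable(RANDOM))
    print(f"PASV share: {pasv_share(STATS):.2f}%")
```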